Hello Sonar Community,
I am a SonarQube Administrator helping one of our development teams. We are facing an issue where security issues marked as “False Negative” or “Won’t Fix” resurface in subsequent scans, effectively ignoring the status change.
Despite reviewing these findings and marking them multiple times, the issues disappear temporarily but reappear in the next analysis, causing inconsistency in our reporting.
**Environment Details:**
- ALM: Azure DevOps (Classic Pipeline)
- CI System: Azure DevOps Hosted Agent
- Scanner: SonarScanner for .NET (Integrated with MSBuild)
- Language: C# / .NET
- SonarQube Version: Community Build v25.5.0.107428

**Pipeline Configuration:**
- We use the “Integrate with .NET” option.
- Project Key: Order_Interface_CTLegalUCC... (hardcoded and consistent).
- Project Version: 1.0 (hardcoded for testing).
**Troubleshooting Steps Attempted:** We initially suspected a Project Key mismatch or SCM issue, so we applied the following fixes, but the behavior persists:
- Project Key: Verified that `sonar.projectKey` is static and exactly matches the project in SonarQube.
- SCM Configuration: Explicitly added `sonar.scm.provider=git` and `sonar.scm.disabled=false` to the Prepare Analysis step.
**Observations:**
- The issues flagged are identical to the ones previously marked.
- The component keys (file paths) seem to be consistent, yet SonarQube treats them as “new” issues rather than updating the existing ones.
- This is happening on a specific .NET project; other projects in the same instance do not seem to exhibit this strict resetting behavior.
Request: Could this be related to how the .NET scanner indexes files in Azure DevOps (perhaps regarding Deterministic builds or linked files)? We are looking for guidance on what specific logs or configuration settings we should look at to understand why the issue tracking is resetting.
Any assistance would be appreciated.
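As an added diagnostic example (not part of the post above, and not Sonar's own tooling), the script below compares two issue snapshots in the shape returned by SonarQube's `api/issues/search` Web API and lists every issue that was resolved as Won't Fix or False Positive in the earlier snapshot but shows up OPEN under a new issue key in the later one. It matches issues the way a reviewer would when checking whether tracking really reset: by rule, by normalized component key (path separators and casing folded, since a Windows-built .NET project can emit `\` paths) and by line hash. The project key `EXAMPLE_PROJECT`, the issue keys and the hashes are constructed sample values, and only the response fields the script reads are included.

```python
"""Find issues whose Won't Fix / False Positive resolution was lost between two analyses.

Both snapshots mimic the JSON of SonarQube's `api/issues/search` response
(only the fields used here). All keys, paths and hashes are constructed.
"""

SUPPRESSED_RESOLUTIONS = {"WONTFIX", "FALSE-POSITIVE"}

# Constructed snapshot taken after the team marked two issues.
PREVIOUS_SNAPSHOT = {"issues": [
    {"key": "AX-old-1", "rule": "csharpsquid:S2068",
     "component": "EXAMPLE_PROJECT:Services/Payment.cs", "line": 42, "hash": "h42",
     "status": "RESOLVED", "resolution": "WONTFIX"},
    {"key": "AX-old-2", "rule": "csharpsquid:S4790",
     "component": "EXAMPLE_PROJECT:Services/Hashing.cs", "line": 10, "hash": "h10",
     "status": "RESOLVED", "resolution": "FALSE-POSITIVE"},
    {"key": "AX-old-3", "rule": "csharpsquid:S1075",
     "component": "EXAMPLE_PROJECT:Config.cs", "line": 5, "hash": "h05",
     "status": "OPEN", "resolution": None},
]}

# Constructed snapshot after the next scan: the first issue came back under a
# new key, and its component key now carries a backslash separator.
CURRENT_SNAPSHOT = {"issues": [
    {"key": "AX-new-1", "rule": "csharpsquid:S2068",
     "component": "EXAMPLE_PROJECT:Services\\Payment.cs", "line": 42, "hash": "h42",
     "status": "OPEN", "resolution": None},
    {"key": "AX-old-2", "rule": "csharpsquid:S4790",
     "component": "EXAMPLE_PROJECT:Services/Hashing.cs", "line": 10, "hash": "h10",
     "status": "RESOLVED", "resolution": "FALSE-POSITIVE"},
    {"key": "AX-old-3", "rule": "csharpsquid:S1075",
     "component": "EXAMPLE_PROJECT:Config.cs", "line": 5, "hash": "h05",
     "status": "OPEN", "resolution": None},
]}


def normalize_component(component: str) -> str:
    """Fold path-separator and casing differences so a file is compared as one file."""
    return component.replace("\\", "/").lower()


def fingerprint(issue: dict) -> tuple:
    """Identity used for matching: rule, normalized file, and line hash (or line)."""
    return (issue["rule"], normalize_component(issue["component"]),
            issue.get("hash") or issue.get("line"))


def find_resurfaced(previous: dict, current: dict) -> list:
    """Return issues suppressed in `previous` that are OPEN under a new key in `current`."""
    suppressed = {fingerprint(i): i for i in previous["issues"]
                  if i.get("resolution") in SUPPRESSED_RESOLUTIONS}
    findings = []
    for issue in current["issues"]:
        old = suppressed.get(fingerprint(issue))
        if old is None or issue["status"] == "RESOLVED" or issue["key"] == old["key"]:
            continue  # never suppressed, still resolved, or same tracked issue
        if old["component"] == issue["component"]:
            reason = "same component key, new issue key"
        else:
            reason = "component key changed: %r -> %r" % (old["component"], issue["component"])
        findings.append({"rule": issue["rule"], "old_key": old["key"],
                         "new_key": issue["key"], "lost_resolution": old["resolution"],
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_resurfaced(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print("%(rule)s lost %(lost_resolution)s (%(old_key)s -> %(new_key)s): %(reason)s" % f)
```

To use this against a real instance, export the issue list before and after a scan with `api/issues/search` (filtering on the project's key and, for the earlier export, on the WONTFIX and FALSE-POSITIVE resolutions), save each response as JSON and pass the two parsed objects to `find_resurfaced`. A "component key changed" reason points at the scanner emitting a different file key between runs, which is worth comparing against the file paths in the scanner's analysis log; a "same component key, new issue key" reason means the file matched but the line hash or rule did not, which points at the issue-matching side instead.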